Bug 435101 - awstats cron-script is not compatible with SELinux
awstats cron-script is not compatible with SELinux
Status: CLOSED CURRENTRELEASE
Product: Fedora EPEL
Classification: Fedora
Component: awstats (Show other bugs)
el5
All Linux
low Severity low
: ---
: ---
Assigned To: Tim Jackson
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2008-02-27 06:49 EST by Stefan Schulze Frielinghaus
Modified: 2008-06-08 09:45 EDT (History)
1 user (show)

See Also:
Fixed In Version: 6.7-2.el5
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2008-06-08 09:45:52 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
Patch to remove "perl" from the cron-script (615 bytes, patch)
2008-02-27 06:49 EST, Stefan Schulze Frielinghaus
no flags Details | Diff

  None (edit)
Description Stefan Schulze Frielinghaus 2008-02-27 06:49:59 EST
Description of problem:
The cron-script of awstats (/etc/cron.hourly/awstats) executes awstats like this:

exec perl /usr/share/awstats/tools/awstats_updateall.pl

But this is a problem with SELinux because a type transition cannot occur. To
solve this easily drop the "perl" command:

exec /usr/share/awstats/tools/awstats_updateall.pl

Now the cron-script runs under the type of the file
"/usr/share/awstats/tools/awstats_updateall.pl".

Additionally the SELinux readme is out of date because a SELinux policy for
awstats is already included (only for Fedora, RHEL will follow in the next
releases).
Comment 1 Stefan Schulze Frielinghaus 2008-02-27 06:49:59 EST
Created attachment 296048 [details]
Patch to remove "perl" from the cron-script
Comment 2 Tim Jackson 2008-03-01 11:46:05 EST
I'm sure you're right, because my SELinux knowledge is limited. However, could
you describe how to demonstrate this failing? If I run /etc/cron.hourly/awstats
on a machine with SELinux enabled, it doesn't seem to cause any obvious problems
- I don't see any SELinux errors and the stats update runs successfully.
Comment 3 Stefan Schulze Frielinghaus 2008-03-02 07:41:36 EST
(In reply to comment #2)
> I'm sure you're right, because my SELinux knowledge is limited. However, could
> you describe how to demonstrate this failing? If I run /etc/cron.hourly/awstats
> on a machine with SELinux enabled, it doesn't seem to cause any obvious problems
> - I don't see any SELinux errors and the stats update runs successfully.

I guess you are using SELinux targeted policy:
$ cat /etc/selinux/config | grep "^SELINUXTYPE"

The targeted policy is very relaxed and only secures several daemons like httpd,
samba and so on. Scripts running locally and therefor from cron are not
considered to be a security problem. This means they run under full access (type
unconfined_t) and do not cause any error messages or something like this.

If you are using the SELinux strict policy then you will definitely run into
some AVC errors. Simply install the strict policy by "yum install
selinux-policy-strict". But I would suggest to use a test environment for this
because it could break some daemons/apps or whatever.

The main problem with the cron script is that SELinux only does a type
transition if you do it programmatically or via an execve() call. The latter
isn't the case because you call "exec perl awstats.pl". This means that cron
(running as system_crond_t for the scripts) executes perl (which results in an
execve() call but /usr/bin/perl is labeled as bin_t) and in the end the awstats
script runs under system_crond_t. If you would simply left out the perl command
then the cron daemon would call the awstats.pl file directly resulting in an
execve() call and while the awstats.pl script is labeled as awstats_exec_t a
domain transition would occur.

I hope I could make it a little bit more clear.
Comment 4 Fedora Update System 2008-03-16 03:17:09 EDT
awstats-6.7-3.fc8 has been submitted as an update for Fedora 8
Comment 5 Tim Jackson 2008-03-16 06:40:36 EDT
Fix has been checked into CVS; new package will be built soon.
Comment 6 Fedora Update System 2008-03-16 15:29:35 EDT
awstats-6.7-3.fc8 has been pushed to the Fedora 8 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update awstats'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F8/FEDORA-2008-2522
Comment 7 Fedora Update System 2008-04-01 17:35:46 EDT
awstats-6.7-3.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 8 Tim Jackson 2008-05-13 04:05:55 EDT
Built in plague for EL-5 (job ID 38986)
Comment 9 Stefan Schulze Frielinghaus 2008-06-08 09:45:52 EDT
The new version 6.7-2.el5 fixed the problem therefore I closed the bug.

Note You need to log in before you can comment on or make changes to this bug.